CIA testing, an easy Security Test Approach

Jan 22


Security testing is often a risk-based approach. The risks with the highest priority must be tested first, because they pose the biggest danger to the business. There are many ways to rate these security risks. One of them is to classify them with a CIA rating, where CIA stands for confidentiality, integrity and availability.

The end result is often a table like this:

Risk                    Confidentiality  Integrity  Availability
Risk 1: Authentication  1                1          3
Risk 2: SQL injection   3                3          1
Risk 3: etc.            2                2          3

In this case risk 2 is the highest one and needs the most attention.

Let me explain the CIA testing approach with an example. This example is partly fictional and partly true. The conversation below is the one I had with a customer last week.

Customer: The goal of your test must be that you cover the complete CIA.
Me: What do you mean exactly with covering the CIA?
Customer: Covering the CIA means that you cover all C's, all I's and all A's; in other words, it's not allowed that these CIA's are still in the application.
Me: Hmmmm.
Customer: The test experts we've had were always keen on these aspects.
Me: Okay, I understand it, let me explain what we do:
1) If we have a web application, we count on every page the number of C's, I's and A's.
2) Because you need an average of these, we execute the following sum: (C*3+I*2+A*5)/10. This is because the A has more weight than the C, because A is earlier in the alphabet.
3) We do this for every possible page, every error message, every form in the application and every URL. This gives you an amount of data.
4) From this data you have to derive the bell curve.
5) If the risks with the highest rating are on the left side of the bell curve, you are in danger.

Do you understand?

Customer: No, can you summarize it?
Me: Uhm, yes, what I want to say is that with this approach you're safe if you use fewer C's, I's and A's in your text.

As you can imagine, counting the CIA's in the text and using a formula to determine the risks is not the right approach. What you have to do is translate the aspects confidentiality, integrity and availability into concrete test cases that cover the risks you identified in an earlier stage. The OWASP Top 10, which is high level, can give you some inspiration. In my opinion most of the threats in this top 10 relate to every aspect of the CIA.

You can also use the STRIDE method of Microsoft. STRIDE stands for Spoofing, Tampering, Repudiation, Information leakage, Denial of Service and Elevation of privileges. Every test you do can be mapped to these six terms.

A better way to create test cases and find inspiration is to use the ASVS 2010 (I explained this in an earlier post). Books like "The Web Application Hacker's Handbook" are also very useful.

Make your risks smart and define proper test cases that can occur in real life.

This entry was posted on Friday, January 22nd, 2010 at 13:30 and is filed under Andréas Prins, security testing, structured testing.

One Response to “CIA testing, an easy Security Test Approach”

  1. Dean Mitchener Says:

    Nicely explained – thanks :)
